secrets: split home and common secrets

2024-07-08 15:02:54 +02:00 · 2024-07-08 15:02:54 +02:00 · 2532fef033
parent 435f032287
commit 2532fef033
7 changed files with 100 additions and 44 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -3,6 +3,7 @@ keys:
  - &host_tsuki age1c92j4w0gqh32hwssl5m2mfrggssxax9pge8qxwytv9lmrnfttcvqdrgsst
  - &host_kasei age1eu2a6m3adakfzelfa9pqpl74a5dz0wkyr0v7gegm5ajnx7aqmqcqsp2ftc
  - &host_dosei age179y7apa80p9unvyjtsphpzyhve90ex986vlxkx43xt9n6m7en3csqnug7c
+  - &home age10f4a5acpar8vwz3v298r3nv7gggfpmyh4wxpkc2hwq9paq0scf8qee8lau

 creation_rules:
  - path_regex: secrets/common.yaml
@ -13,6 +14,14 @@ creation_rules:
        - *host_tsuki
        - *host_kasei
        - *host_dosei
+        - *home
+
+  - path_regex: secrets/home.yaml
+    key_groups:
+      - pgp:
+        - *gpg_h7x4
+        age:
+        - *home

  - path_regex: secrets/kasei.yaml
    key_groups:
--- a/flake.nix
+++ b/flake.nix
@ -190,7 +190,6 @@
                    inherit inputs;
                    inherit (self) extendedLib;
                    inherit (config) machineVars;
-                    hostname = name;
                    secrets = secrets.outputs.settings;
                  };

--- a/home/config/ssh/default.nix
+++ b/home/config/ssh/default.nix
@ -6,10 +6,9 @@
    ./pvv.nix
  ];

-  sops.secrets."ssh/secret-config/home" = {
-    sopsFile = ../../../secrets/common.yaml;
+  sops.secrets."ssh/secret-config" = {
    mode = "0444";
  };

-  programs.ssh.includes = [ config.sops.secrets."ssh/secret-config/home".path ];
+  programs.ssh.includes = [ config.sops.secrets."ssh/secret-config".path ];
 }
--- a/home/home.nix
+++ b/home/home.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, extendedLib, inputs, machineVars, hostname, ... } @ args: let
+{ config, pkgs, lib, extendedLib, inputs, machineVars, ... } @ args: let
  inherit (lib) mkForce mkIf optionals;
  graphics = !machineVars.headless;
 in {
@ -53,8 +53,8 @@ in {
    ./services/copyq.nix
  ];

-  sops.defaultSopsFile = ./secrets/${hostname}.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.defaultSopsFile = ../secrets/home.yaml;
+  sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519_home_sops" ];

  sops.secrets."nix/access-tokens" = {
    sopsFile = ../secrets/common.yaml;
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@ -13,7 +13,7 @@ in {
  sops.secrets = {
    "nix/access-tokens" = { sopsFile = ./../../secrets/common.yaml; };

-    "ssh/secret-config/global" = {
+    "ssh/secret-config" = {
      sopsFile = ./../../secrets/common.yaml;
      mode = "0444";
    };
@ -64,7 +64,7 @@ in {

  programs.ssh = {
    extraConfig = ''
-      Include ${config.sops.secrets."ssh/secret-config/global".path}
+      Include ${config.sops.secrets."ssh/secret-config".path}
    '';

    knownHosts = {
--- a/secrets/common.yaml
+++ b/secrets/common.yaml
@ -3,9 +3,7 @@ nix:
 wstunnel:
    http-upgrade-path-prefix-envvars: ENC[AES256_GCM,data:aS7Kvpj9aHtaiKZiakDuvdiDcVYFMkYv9FIH060Dbkahk6v+2bbxzgKcRtnDnLlphtGlZD7yWRcbvlYiG7Y5mRNS1X5PkspQwFKKnwGGHiWgfun9yxB6VHvPdb4W4SNA8QfRmqH4XmJUfDSPmZfh5Ggzhy7/74avC0vfqKBvQ+ml4fjqTmdS6EkFGrrUwIXFrjiCqdxnNYmp8I/L1b22R5YoY/JTsc4mG6N9s3B75GvsYI2EDG4vQ7EMyktd2CHsXJgNFRQUM+GzBbkO4VvG,iv:EbuV/2L+p4A+aloC6uQYiFFF7Lsz5A5RTGMuHMqtTpI=,tag:DThZOERbXuUdDJso7ertbg==,type:str]
 ssh:
-    secret-config:
-        home: ENC[AES256_GCM,data:eUfhQb6yYYV3951sdwZpA1f8k+79mm1bMYY4EP+tn1g7DEHXG9XHYKPL3FLJMkaaXSWv5jbBZ3zrGodJPMH9VbcFOjvSdz9u56DnmyeR3S7Pwgj1YbELDn9akeVRpjcB1w2k8hn2vNIY1MV4vg==,iv:LQpS168sxPVegrlPJNZrVZE+GsZAMxRSl4EaHO6FFxg=,tag:w5SNj7LkYd+22SbLVbtsDQ==,type:str]
-        global: ""
+    secret-config: ""
    nix-builders:
        bob:
            key: ENC[AES256_GCM,data:CfzF32ELxePyls+JgxLRN3HeIyRGnH5G5MRuL23YGZ5DqBqjIjgoL64zzHB2tIn9D8RjUzmYxU7y70mwoej0V/Vr3qHtUkv2tC+XXw0uN4Be9n5iMo52Ovi+ZE4BVkKE94Y98YZtr0IbbjmgYAj+FS30lfld1KydKfmQUhzijIX8zUchL3spFwdxZSFQv2skXetEu9eIGMYeSTd7CSNk72zVONaW5s0cdKH0iLcO27CyzB3qArdn27gBbgn0rHvoaEvEMJGz4h4RHjk+JIU9+PKEqU8LMZOSYmD2wumX9W4s2L+YC5b5CDUvHaP0+n2bilpYCRuBlWMIzrNgkKyszVeNL+UnDM2nl1pF+ymapyrfyOGALuBoFd61uqE94/cCX21DAEB6E7SZtkQI/inKk1Wm7rvKEmTCjpHRNLf2J5i1IeePeHp1/ODHTfWZogtxh/SjpsR/ioGbt2X5yUvX+Xb6Ks35YwNyxVyXYV5azD60oQF/FSFwqNqRiNX/UE7a+FDwFgDoPleDOvJcv/35QZM6c9xYfWtUioKc,iv:LPQ+eJNeuL0SQRr1crRR2t4nZSanOihNrUK0mtdI3so=,tag:GjTZ+VbxYAqNDVg9m3IDVw==,type:str]
@ -25,51 +23,60 @@ sops:
        - recipient: age1c92j4w0gqh32hwssl5m2mfrggssxax9pge8qxwytv9lmrnfttcvqdrgsst
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTis4dldlaGJmVjN3dUU0
-            UHZHaXRHWU9wRWo5OVlVRitnV1NrKzBxb1RzCjhhMWxzbGczdDNmSTUvZis5SWp5
-            b2lTNC9MTFRDSnl2UGVoTjRoRFFSaEUKLS0tIFZkNEk2aGIwZm1XR1BJYUNkZE8z
-            U0RoMVNmUGwrV0J0UlJTK2ppdzNDMlUKaUuklGVibBHi4OAowm5vwZHTVapcCgfN
-            y7r2/9aDZ5BGsLu2syTnEaRvbvTwABUUbwLlVR0a27xdvn81m0G5sA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAweE1kMlFnZVZxZ0dhblVn
+            SjBrU3lUSlFtL2lCWm1VRUtocTdCWVg2aUJFCmc5dEJNdlpGSnFJSjhCNEZmQVc2
+            VVplaldBUlV6TSt1V0lJdTNGWEJpL0kKLS0tIGVhVng4c28wVTdpVXdrdll6N3dj
+            S0N3UldMUWl3VTBBajZkbTFQSzJVNzQKkjgkwjVL3tTJGL4raaRRAflyen6lrCjf
+            qIDU6yVaRPoeg4PMQyjT8B7Lvw/MAAir+v4dO+Wq+026YwEqasWmRg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1eu2a6m3adakfzelfa9pqpl74a5dz0wkyr0v7gegm5ajnx7aqmqcqsp2ftc
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRMFFZbk14YnJvcWNLNGV3
-            NUhhMXpRWEhoRXZqaDNEMnF0YjYrMWxQTlV3CjBNUEpUeHpiWEVwMHFSMHlNVXNC
-            V1JxTDhhSWtIcjc2c2NwTWxLS1gxVk0KLS0tIDZFb2hzdEdNbkNkYmxieVVUdmV4
-            WDdGRUtDWmxIRkNDM0FjMWdFdXFDSDAKPbMyMqNDmpA92Gzpafd3Z+H85Gn/OSz+
-            GZ1IpfWSdF9RWRmuHxGIqiNXK53Us+YR7GVhqduwY0ueAh3wMCYyGw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4RStsMFU2VkJzelpSMnZr
+            VEd0ZTYvMG9rbGtTellidnhBU3ZqSXJyOGl3ClJEOXdlVXBIZStIZkF1aHVqM1Jr
+            RVI1WXhCWVo4ODZRR3dXdDBSWE4xckUKLS0tIGtjNXJmYSszTVRQcDlmWnlwZ0pL
+            MXlQczBBZVpYdzhoRmowZHdiUWN0WWsKTf3WPqKO68UkgJiaN2WpiKqzRhlrfZB2
+            XX1g3GzOXBubWsbJXM7ibxSWhZj2XRIZF3i4kkLpaIF/wB+df0iagQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age179y7apa80p9unvyjtsphpzyhve90ex986vlxkx43xt9n6m7en3csqnug7c
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eml4UFJ1dVdmUjROZGxv
-            akRzWmV2ZWlNak9IV2hVUnI1YW5Nazk5RzJVCm5ab0YwQTdUWlU5OW9nTlI4N2pK
-            RXBrQWhYN29OSEVCL21MZ25ZRXN4VjAKLS0tIE5WM2xkaVY0bEVwVUNsUXdnU0ta
-            UllPc1JCTXoxUERMM05abjhnR0g0d2sK/wyBVH6Dxris4TF05POtYQbWj4DWOeID
-            RAdf30dDVtmg4qPwsHiIQ8f10gA1DrgIrcae0JS5VZcRLRw5/4+g9Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3RVIzVFlVVDdqU2tFZ3lD
+            T2NtdjBabmU1cVc3QlRkWnU5ZldodmlHZkJRCjZIcFllSGVoSEVtUkFFVXI1eXd6
+            cjhRbVhLM25HQjlobnNOK0ZiNGE3R1EKLS0tIGdES2I4Y3ZCWWtOVkNyZDZ3V0d3
+            V3NFU3ZuUjFxeHNyUGZXdW9aUElKM1UKutap6vQBYUAuDrnFKBa1J6PcjeTV03a1
+            G6+jlJsBhMlUkiavWiqZ4JuGtSF3tCPZwf+NzuOZfGfjD3YOVHqY/w==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-28T13:06:09Z"
-    mac: ENC[AES256_GCM,data:H19kxVh+pcjGhD78WHQYMGQ/0HY/F4NF6sYCvjn4hqPfFTJDDcVJ7QFxm2LL4Zz/+KNcI3qvnXO/g/MyaVxyJMyKC9LFwHT/0TwMRW1uHSBahPASFYvN0/h+6hp6TI9/DPeWjKEGk+1j1tU665YpnqYdOtRUfQEB02fmLf2jSiw=,iv:b0b4m/SlGNXBQ3ulLhbSHngSLZiFipPV+yAD6MG8vAo=,tag:B3oHJkWlFpY+g6dVkApDMw==,type:str]
+        - recipient: age10f4a5acpar8vwz3v298r3nv7gggfpmyh4wxpkc2hwq9paq0scf8qee8lau
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJelFCVGo4L0QrUnNqdWRm
+            cTR4TnJNdGx5SE82cEYzMk9ybmVzeUQ1MHlJCmFEbXZCVFBQUmVFMXFlVnQ1OFdI
+            R0RDNU5XYVNUbmRZSUJUU1VQQk1SdlEKLS0tIG02Q0dIdlJiRWt2cFJTN1VSbTVW
+            MGo3NEZyVlVWUDlVdGZyT2dVV3lxeUEKZGLbJ/PAmHdzfUfDvAQD/Nq179ooElth
+            mfF8FLeFoydSYAxXCDAw/JgjUPXckyjPXEjo3dnSBVec1Q6qHhPBpQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-07-08T12:29:09Z"
+    mac: ENC[AES256_GCM,data:z7J2kMlnqp6RJJj//O8j8W6O7HJkTGAbW0LW4Z6F4m0Fj18bylMQJ7kbNmf7mK5PHnItdHFnWJ/kY1vaXN7gD1SJccZ+jJcWI+nR3i5nr5GpQKoVlB1zYvBir5+CY6C7jJHpJim8WhfXG/hagSZrJ8Hz3hQon8j377g4XSTaHm0=,iv:2kg8iBuv3FWbWs3E5l5XTXzZ8i3tGCAK/PhJI4zWnNI=,tag:a/gNiM7zDqdf/arYNGeAIQ==,type:str]
    pgp:
-        - created_at: "2024-06-26T07:42:59Z"
+        - created_at: "2024-07-08T12:38:34Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

-            hQIMA0av/duuklWYAQ//UQlQMjOkq53Ic8HTVTF+1594HNJKq75t6ewgSNVJy0yd
-            spwqbnmZooQRvhK0ewnFQMldmsD/7NwnLJmV/ARUaJJRXGTltWnh5oxvPKB7b4Qw
-            9oxk8gOPyiBHq/oBMsrS1F5uYRd+/HliHcKR37PdXchEpy1CzuASjJ8fv+pUCy/1
-            jiuHiZEK5yLhjAMb7UsXVZXit1jP+VMBZJk3qzTXTRqewF+Rea2P6BXo5RQAyF9M
-            xv6q+SItFPHglmyzkHvO1gg7lisohTY9fv51M9tcmPtUWnAeGywik8xT2RA5l5w2
-            WPf7g0QIqWC6FmybsWdcBAWJCGKvsfCveEtY5J+29BYfCkPlhuKmou8CZwzIB66p
-            AsQMmu8JwbGSEYe78r/zy379ybQ/H7j/8uGDsJmAJqKvJfG1o6QsAlpj+fSoSU/5
-            k9E5OyEdRyws4W1CoaAvyTML8gSXBXpA9oIZx5WYYh6mJ+ETNfDlaIAGXY2Sbdr+
-            IGkLhvGETQGbCW4EZB0hDEE3QmzNolYR6YybL74HtGQT2XOWg0+UkTZZ1ZRw+jHk
-            bY6XQbloTQpSI6tFCGq5hQeVQDH17lTb/sEh0qAZkdAguvUgPlO6PHV5cS3SXAS7
-            Ga7vllL8VOq/dbJ5ll7xbnxwBxkDrVqu2fCnS9L3P/biteafB/d0gRhjhFEhaUHS
-            XAGVZdphiKbcydow/ucviT2TlZVmi7yWLcfk+uEPxf0mb5FMFRSasSmAvp4b7Wcz
-            lNBuJPjOnYrkootAaLSUAdMukfAin1HGWxmINsybPzuPFlTxR3RSgjBQn/2w
-            =kNmC
+            hQIMA0av/duuklWYARAAvyl5qLP6x5yEGccj6rvoDwvY4G28bFKu5J+xS9UnKp5O
+            /ANlKgglGGJ3Sym2Mya4g9Lr49GmZDXSSWcWyktTbn8m1zL4bNdwVyRLLzCthYuG
+            piZeFgzzlAve2rUT38QvTjeLqPgmAtoUGgkLzjl7kWJ3a28Fdx4BaGqKdFgd3u/J
+            ZjTudSRj6xOUv/9qyh/bs6eT4vJYZxMf31n3Y+v5njnWPWTxYb2EgtBdH/KM/uuB
+            gcFQRtBWHKhaNNDQpHZ8nKivFhyyzmkW98FkGX53+RjdkxtS1PznbpkQDR/HDfBJ
+            R+a09EAc0ac/0A++KGLR2UQ5szpGsiYrTrcGFrd8diCBOUMeszRxPgTWQK0PdRli
+            UP12HHHwESmzeZCji/gjsa31c+4fCdyEoHm924/Z+OhVoC2R+oGU+sVDBpLrPSKa
+            Y9EPRmjF63oUm9QIELomke61ylswET372RQyBOOHw2dsPq8AK02wmMKkyHnMN/wG
+            Dhjv+rti97h42xe5X6q/UC2yis5YWB17Zhf51zo1XujB40TFAwQfhfh3F1s1+dKj
+            aVoyvEp5Fk7ryY4YN/D7Eq1qJfwE73ycwoLcZvkeNzIf3839vQJ5ferWkATeQ3qm
+            f8mb/uhQzxMYJsUcBz9UzMVzX5t7WNo3zAWddnHg1/WypbPi2ettn4C9lXYLV27S
+            XAHSfXSeC2ylzWVQeWESFd2U+/8kkYNsv0g5f97ktF7e4PV+F/4Xz2Mc30iAJ4AE
+            3jbC0rVpmBmQeo4OkiyuPT5LEwdEzNQXXBTqdUTuF+LEK6ORUyAY72jRWRkX
+            =n0Ia
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
--- a/secrets/home.yaml
+++ b/secrets/home.yaml
@ -0,0 +1,42 @@
+ssh:
+    secret-config: ENC[AES256_GCM,data:HFrGyBiqNJJOzWhoDBosh7Kub7zz2cJvE6FphapqFeZ3ZNqG27nVu6G9JsLiIZBtsSgBcne0WEV+vNY07d6QBHX/IHryNczhrIEkiI9yNBORBvIOVLS9J4bP/ueUBn4EmLVBQ5tW5/s+0RNSTw==,iv:6bhpPR5QjnnO44p0NCjXl9P/TVP+Tdi61gU3RddNCIU=,tag:QAWcPbwAW1Fmue7CzFWF8w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age10f4a5acpar8vwz3v298r3nv7gggfpmyh4wxpkc2hwq9paq0scf8qee8lau
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEN09QV2FpRUFzQW5oSnUx
+            V1FTa0RZK0Juek1aNWNzZm1TR255YzJOWlFjCmNDSXhLbkxNZGMyOGxNaWxoUkxp
+            c2RON3RCNGV1ZnM4SEVHaHluOFNidUkKLS0tIDdJTlhsVWpLMXJ0UkNRNVlQUnd0
+            QllyaVlIVEVrSlJDZzlwdFpoRlg3bmsKYBGLYmsfFu6GuRUPGsS0+vkUv1QzJXZl
+            D9CFcRQw0Xzti0DvDj7cWrCJ32F1eYRp/9LWyG1CEjfoNEKyUJZ2qQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-07-08T12:56:35Z"
+    mac: ENC[AES256_GCM,data:NOs6g8PKDBwbimZLumnde2ohhxRKxajORZMI1kraLgbow8uFUO9CreEMz5epRFMqesClFuWQXJfpki9dxONYs4zsIaPjuZWi9a1d3eUf+AGw5Ey6GKEh5z/oSQkfK3CCYH9g9E+iOeK8eCHPMYAwAPSyxCBumEoIuwOrUlgdGlQ=,iv:vXWOqw4ZPZkMktuKU5WmA8AAsBniyxbjfVaI+9TpH9M=,tag:MmHBM527T8egbIvpUNPiuQ==,type:str]
+    pgp:
+        - created_at: "2024-07-08T12:27:24Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA0av/duuklWYARAAvygqGcBQohvHxwGMjDqwaYxVOLHUCY+EWdQYCGlhvJ9o
+            kdmrwJs8coePs2CBGq98Yo6LuplI9ArTjAsSSG8dYXC8LR51ts++XHkqoSMsEQdO
+            CF4DonDNy1+goHgScM2JBgVij+zUd1SumJHiuXdCu9MsNMoo1pIjE9xTTQiYutx7
+            gz6Q4AITBmjqZgfxjNWLXq7iuIFiu5YEiluc7TP+FUfabOljQCzbmYHg7f/7ZpCM
+            pEko4fdRRwqCrdzjHAmoUXbqy0yU67yoK0fBFu6wnrZOFk/nSzgEelnSb0kx9z88
+            aET6NuLbZa0I72Z9xEcpECdRNSGRt/UXFIKBR0JyNmBLhZcERq3Tm7zG72Cmmi8g
+            jL6oPTfi0B0nv7nLWXCj8kHFFDI0Ck5H6ZlQ5y7Tu/VTuNnrdoHwn/hCh0b25Y9s
+            uJZuVpO2l/W6sb3Db6u/eeMvy8by1vvvFDEj75zKyImPP4bbn4nlJyu4qJ8scefX
+            5y97DbXmsssEgOgogojf6JKfyJ53Xy4/ROEnje9S+nrNlgQJKUrP2JVkppq357os
+            R6z5mZJAR5LkQ7nC0hkxvbGDyRys8qEIXgyzzPcx/imepH4H92v3X5xTcWmue3QO
+            GPGXty45HVNXQM05q7UrAXOf50a0IZFnYeVD1f0swVd/Fc1WDeDxXWmhgcgxPXzS
+            XgETKOrQh/7hefJqaeDNT4KTZ/Bnkz1gul1n+BsMSkd8sa9sXQNB2JMwhNQFSdcP
+            C011agjjx0BkUHArCFbGbCaXnFlB8nuC1xJDZ9US/IEUF5hy4Ozu1LJHJuF20dw=
+            =H2VJ
+            -----END PGP MESSAGE-----
+          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1